The Location of Data: An Issue the Courts have yet to Address

Author: Alexander Spaulding, Associate Member, University of Cincinnati Law Review

Introduction

Technology advances much faster than our judicial system that evolves slowly through precedent. However, technological advances place judges in situations where they must apply the antiquated precedential law to new technology. In December, the Second Circuit faced this problem in Microsoft Corp. v. United States,[1] when it held that the government cannot compel Internet Service Providers (ISPs) to produce electronic data that is stored overseas, even by a warrant.[2] Now, Microsoft need not comply with a warrant that sought readily-accessible data, because that data was stored on servers in Ireland. The court dealt with the data as though it were any other physical object, and did not account for the differences posed by the new technology.[3] By doing so, the court failed to address the novel issue regarding data and its lack of a territorial nature, which will pose challenges to United States law enforcement in the future. However, irrespective of the court’s considerations, the outcome of treating data territorially is beneficial from a foreign policy standpoint. Thus, even though the Second Circuit missed an opportunity to rule on the novel problem presented by data, the court shored up our foreign relations.

The Novel Issue: Where is Data?

Electronic data is significantly different than physical objects because data can be both created and accessed from anywhere with an internet connection. Although data can be created and accessed from almost anywhere, data is still physically stored in server farms located all over the world.[4] Recently, there has been significant scholarly dispute regarding where data is located for jurisdictional purposes.[5] As evidenced by the ruling in Microsoft, data is currently presumed to be located at the server’s location, as evidenced by the ruling in Microsoft, which is in line with the rules of other countries.[6] However, electronic data is arguably “un-territorial,” [7] because its physical location is largely irrelevant—so perhaps data should be considered to not have a location for jurisdictional purposes. Jennifer Daskal argues, “territorial-based rules of the game are premised on two key assumptions: that objects have an observable, identifiable, and stable location, either within the territory or without; and that the location matters.” [8] Data does not comply with either of these assumptions: (1) it is constantly flowing, and (2) its physical location has no bearing on any interaction with it. Thus, the legal location of data should arguably be anywhere that it can be accessed or created.

What the Microsoft Court Addressed: Extraterritoriality

In Microsoft, a magistrate judge issued a warrant under the Stored Communications Act[9] (SCA), requiring Microsoft to produce certain emails.[10] However, some of the emails were stored on a server in Dublin, Ireland.[11] Although the question of where data is located is one of first impression[12], and despite the ongoing debate regarding the un-territorial nature of data, the Microsoft court essentially disregarded the issue because “no party dispute[d] that the electronic data subject to this [w]arrant [are] in fact located in Ireland.”[13] Nor did a party dispute that Microsoft would have to “collect the data from Ireland.”[14] Therefore, the court found no reason to address whether data was exceptional, and defaulted to treating it like a physical object, “located” where it is stored.

Therefore, the question in Microsoft became whether an extraterritorial warrant is valid under the SCA, regardless of the warrant’s intended object. The court applied the two-part test from Morrison v. Nat’l Austl. Bank Ltd., which determines whether a statute is meant to be used extraterritorially.[15] Since (1) there is no explicit text that states that the act should be applied exterritorialy, and (2) the proposed use of the statute was not extraterritorial, the court found that the SCA does not apply extraterritorially.[16] The court found no reason to override the strong congressional presumption against the extraterritorial application of statutes.[17] Then, the court found that enforcing the warrant would be an extraterritorial application of the SCA.[18] The court reasoned that the congressional purpose of the SCA was to protect privacy, and since the privacy interest in this case was in Ireland, the warrant would apply the SCA extraterritorially, which made it invalid.[19]

Missing the Point

Although the court came to a judgment in Microsoft, the court did not address or resolve the un-territorial nature of data. Rather, the court explicitly ruled in favor of the notion that data is located on the servers where it is stored, despite never tackling the question. The court missed an opportunity to adapt to the new technology, and instead further entrenched itself in applying old law to new technology.

The Ramifications

Law enforcement officers will be severely hindered in obtaining evidence from ISPs that store their information abroad. Barring a different precedential ruling on data territoriality, there are now two paths for law enforcement to have jurisdiction over “extraterritorial” data in the future, and they come through the other branches of government. First, congress could amend the SCA to include provisions that deal with data as an exceptional circumstance. However, until that happens, law enforcement’s only option is to appeal to Mutual Legal Assistance Treaties (MLATs), which are agreements that the executive negotiates with other countries that aid in law enforcement through gathering and exchanging information. However, MLATs require bilateral action and thus often operate much more slowly.[20] Thus, the ruling means that critical information from ISPs, if it is stored overseas, may be very difficult to access under our current laws.

Other Considerations

Although the court did not consider the un-territorial nature of data, there is no guarantee that such a consideration would change the outcome of the case. First, the court could have considered the differences of data when compared to other objects, and still rejected that the difference mattered. Second, even if the court found that data is territorially unique, there is still a compelling reason to rule that seizing data stored overseas is extraterritorial and illegal—foreign policy consequences. If the United States were to authorize unilateral law enforcement intrusions into sovereign countries, it risks offending that country. Furthermore, the United States risks setting a dangerous international precedent that could allow foreign governments to unilaterally compel the production of data located in the United States through jurisdiction in its own country.[21]

Conclusion

Ultimately, considering the foreign political ramifications, the Microsoft court probably made the right decision. However, the court came to its conclusion too quickly, without addressing the debate regarding the location of data. Doing so, the court has made a precedent of dealing with data as it would deal with any physical object, something legal and technological scholars believe is outdated. The court had an opportunity to change the way data is understood, and to rule based on the unique foreign policy concerns that arise from data. Instead, the court settled for applying old law to new technology.

 

[1] 829 F.3d 197, 222 (2d Cir. 2016).

[2] Id.

[3] Id.

[4] Jonathan Nimrodi, 10 Facts You Didn’t Know About Server Farms, Cloudyn, (Sep. 8, 2014), https://www.cloudyn.com/blog/10-facts-didnt-know-server-farms/.

[5] See e.g. David R. Johnson & David Post, Laws and Borders — The Rise of Law in Cyberspace, 48 Stan. L. Rev. 1367, 1374-1376 (1996).

[6] The same is true in the UK; the High Court reached the same conclusion. See Jack Clark, Data Jurisdiction is Where Server is Located, Says Court, http://www.zdnet.com/article/data-jurisdiction-is-where-server-is-located-says-court/#!.

[7]  Jennifer Daskal, The Un-Territoriality of Data, 125 Yale L.J. 326, 389-391 (2015).

[8] Id. at 328-9.

[9] 18 U.S.C. §§ 2701–2712 (2012).

[10] Microsoft, 829 F.3d at 200.

[11] Id. at 201

[12] See Daskal supra note 6 at 328.

[13] Id. at 209

[14] Id.

[15] Id. at 210

[16] Id.

[17]Id. at 216

[18] Id. at 220

[19] Id.

[20] Jennifer Daskal, A New UK-US Data Sharing Agreement: A Tremendous Opportunity, if Done Right, Just Security (Feb. 8, 2016).

[21] See Daskal supra note 6 at 397.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s